Vamsi-klu opened a new pull request, #62658: URL: https://github.com/apache/airflow/pull/62658
## Summary

- Replace hardcoded `allow_credentials=True` in CORSMiddleware with configurable `[api] access_control_allow_credentials` option (default: `False`)
- Log a warning when `allow_credentials=True` is used with wildcard (`*`) origins, as this creates CSRF risk
- Add config option to `config.yml` template

## Test plan

- [ ] Verify default behavior: `allow_credentials=False` when option not set
- [ ] Verify setting `access_control_allow_credentials = True` enables credentials
- [ ] Verify warning is logged when credentials + wildcard origins are configured
- [ ] Run `pytest tests/api_fastapi/core_api/test_app.py -v`

**Note:** This is a breaking change for deployments that rely on CORS credentials being enabled by default.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
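
An operator-side check for the combination the PR warns about, written as an added example that is not part of the pull request or Airflow's own code. It assumes an `airflow.cfg`-style INI file, the `[api] access_control_allow_origins` option alongside the option name proposed above, and that origins may be comma- or space-separated; the sample configs are constructed.

```python
import configparser

# Constructed sample configs; option names follow the PR description.
RISKY_CFG = """
[api]
access_control_allow_origins = *
access_control_allow_credentials = True
"""
SAFE_CFG = """
[api]
access_control_allow_origins = https://ui.example.test
access_control_allow_credentials = True
"""
DEFAULT_CFG = """
[api]
access_control_allow_origins = *
"""


def audit_cors(cfg_text):
    """Return (allow_credentials, origins, findings) for an airflow.cfg-style text."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    # Assumption: accept both comma- and space-separated origin lists.
    raw = parser.get("api", "access_control_allow_origins", fallback="")
    origins = raw.replace(",", " ").split()
    # Fallback False mirrors the default the PR describes for the new option.
    creds = parser.getboolean(
        "api", "access_control_allow_credentials", fallback=False
    )
    findings = []
    if creds and "*" in origins:
        findings.append(
            "allow_credentials is enabled together with a wildcard origin; "
            "list the trusted origins explicitly or disable credentials"
        )
    return creds, origins, findings


if __name__ == "__main__":
    samples = {"risky": RISKY_CFG, "safe": SAFE_CFG, "default": DEFAULT_CFG}
    for name, text in samples.items():
        creds, origins, findings = audit_cors(text)
        print(f"{name}: credentials={creds} origins={origins}")
        for finding in findings:
            print(f"  WARNING: {finding}")
```
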
